On Fri, Sep 21, 2007 at 11:12:10PM -0400, user@domain.invalid.holland-consulting.net wrote:
quoted text
> Douglas A. Tutty wrote:
> ...
> > I don't understand the logic of having multiple firewalls on one box.
> > If one box can handle the throughput requirements of all the NICs, why
> > not just one big firewall?
> 
> There are lots of places where multiple firewalls are better than a
> single firewall.  If one believed in the idea of "a perfect VM
> environment", it could make sense to do that.
> 
> 1) Unrelated projects: If Project A and Project B are not related,
> keeping them on separate firewalls can simplify the rule sets and
> administration.
> 
> 2) Separate administration: If you run a data center with lots of
> different people managing different systems, "They" can administer their
> systems without having access to (or messing with) "My" systems'
> firewall.  When they screw up their rules, they don't break my systems
> (and I guess it works the other way, too. :)  Note this has some
> cross-training benefit, too. I can be the Firewall Deity, but I do want
> to go on vacation. Fred may be a Firewall Jester, but with a bit of
> practice, he could possibly back me up very effectively.  So, Fred
> manages a firewall for his projects, when he screws up, he learns
> lessons on a simple system, and when I am not there, he can babysit
> the "big" firewall, and if I get run over by a bus, he knows how to
> keep all the systems running.
> 
> 3) Isolation: I had set up a firewall for a web app some time back.  I
> had ZERO trust in the skills of the web developers, and even less for
> their security programming skills (and similar trust in my skills to
> audit their code).  So, I stuck their app on its own firewall,
> completely isolated from our production environment.  I also made sure
> that the various machines in the thing were each attached to their own
> leg of the firewall, so that we really had several layers of security
> between the Internet (bad guys) and the database (the valuable stuff).
> You would have to knock over Apache, then the app, then the DB to get to
> the data.  Even then, they get to a DB Server which had ONLY THE BARE
> MINIMUM data required to accomplish the task at hand.  If it wasn't for
> this design, you can be sure that database server would end up serving a
> lot of things as, k Oracle licenses don't grow on trees. :)
> (I'm actually rather amazed they went for this.  If you look at all the
> money they spent on the non-free parts of this system, it ended up
> costing probably /hit this site has received).  If this firewall
> ended up getting knocked over, they would still have no access to the
> real company jewels, just a few shiny pebbles.  This entire system could
> also be picked up and moved to some other location without much
> difficulty, if we wanted to co-locate the system.
> 
> 
> If you spend too much money on a commercial firewall product, you might
> wish to convince yourself that "centralized administration" is best,
> and all that and want to run everything through one monster firewall,
> but for real-life, there are places where it makes more logical sense
> to split things up.

Hi Nick.

I understand your reasons.  To me they look like reasons for separate
firewalls on separate boxes.  In the scenarios you mention, would you
put separate firewalls on one machine?   

If I was going to put them all on one machine, I'd separate the
administration of the box itself (me) from the people responsible for
rule sub-sets.  E.g. if one sub-firewall is dealing with traffic between
NICs 1 & 2 (call it channel A), another between NICs 3 & 4 (call it
channel B), I'd have the channels A and B admins submit rules sub-sets
via rsync to the box.  My script would then sanity check (ensure that
they only dealt with the interfaces they were assigned) then incorporate
all of them into a master rule-set that would then get tested and then
put on-line.  I would think that this, being only one firewall, would be
simpler than several firewalls in VMs on one box;  possibly more secure
given the comments in this thread about the porus isolation between VMs.

That's just how I would think of it.  OTOH, I've never done any
virtualization and never been into a proper data center.

Doug.